Allow control characters in strings when CORB sniffs for JSON.

RFC7159 requires the control characters (U+0000 through U+001F) to be escaped, but in practice these characters might still appear in JSON resources on the web. To ensure that CORB protects such resources, this CL modifies CrossOriginReadBlocking::SniffForJSON so that it ignores control characters. This CL should be safe wrt backcompatibility, because `kYes` answer from sniffing would still indicate that the input is not valid Javascript. For example, the following is not valid Javascript, even if the string contains a control character: { "... <unescaped control character here> ..." : ... } Fixed: 1148397 Change-Id: I368a6971a911618344b4886f7c7ccc2f95d6187d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2596879 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#840402}

Allow control characters in strings when CORB sniffs for JSON.
RFC7159 requires the control characters (U+0000 through U+001F) to be escaped, but in practice these characters might still appear in JSON resources on the web. To ensure that CORB protects such resources, this CL modifies CrossOriginReadBlocking::SniffForJSON so that it ignores control characters. This CL should be safe wrt backcompatibility, because `kYes` answer from sniffing would still indicate that the input is not valid Javascript. For example, the following is not valid Javascript, even if the string contains a control character: { "... <unescaped control character here> ..." : ... } Fixed: 1148397 Change-Id: I368a6971a911618344b4886f7c7ccc2f95d6187d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2596879 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Cr-Commit-Position: refs/heads/master@{#840402}
a122d0fd · Lukasz Anforowicz · Chromium LUCI CQ · e39ac9e0 · a122d0fd · a122d0fd
Commit a122d0fd authored Jan 06, 2021 by Lukasz Anforowicz Committed by Chromium LUCI CQ Jan 06, 2021
2 changed files
--- a/services/network/public/cpp/cross_origin_read_blocking.cc
+++ b/services/network/public/cpp/cross_origin_read_blocking.cc
@@ -485,10 +485,6 @@ SniffingResult CrossOriginReadBlocking::SniffForJSON(base::StringPiece data) {
      // Whitespace is ignored (outside of string literals)
      if (c == ' ' || c == '\t' || c == '\r' || c == '\n')
        continue;
-    } else {
-      // Inside string literals, control characters should result in rejection.
-      if ((c >= 0 && c < 32) || c == 127)
-        return kNo;
    }

    switch (state) {

--- a/services/network/public/cpp/cross_origin_read_blocking_unittest.cc
+++ b/services/network/public/cpp/cross_origin_read_blocking_unittest.cc
@@ -2565,9 +2565,10 @@ TEST(CrossOriginReadBlockingTest, SniffForJSON) {
  EXPECT_EQ(SniffingResult::kMaybe,
            CrossOriginReadBlocking::SniffForJSON("{\"\\\""))
      << "Incomplete escape results in maybe";
-  EXPECT_EQ(SniffingResult::kNo,
+  EXPECT_EQ(SniffingResult::kYes,
            CrossOriginReadBlocking::SniffForJSON("{\"\n\" : true}"))
-      << "Unescaped control characters are rejected";
+      << "Unescaped control characters are accepted (a bit more like "
+      << "Javascript than strict reading of the JSON spec)";
  EXPECT_EQ(SniffingResult::kNo, CrossOriginReadBlocking::SniffForJSON("{}"))
      << "Empty dictionary is not recognized (since it's valid JS too)";
  EXPECT_EQ(SniffingResult::kNo,